Click here to load reader

MPLS Layer 2 and Layer 3 Deployment Best Practice Guidelines · MPLS Layer 2 and Layer 3 Deployment Best Practice Guidelines Monique Morrow ... Multicast VPN Layer 2/3 Management

  • View
    239

  • Download
    2

Embed Size (px)

Text of MPLS Layer 2 and Layer 3 Deployment Best Practice Guidelines · MPLS Layer 2 and Layer 3 Deployment...

  • 1 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS Layer 2 and Layer 3 Deployment Best Practice

    Guidelines Monique Morrow

    [email protected] 21 2005

  • 222 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Prerequisites and Scope

    Must understand fundamental MPLS principles

    Must understand basic routing especially BGP

  • 333 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider Considerations Layer 2 Deployment Considerations A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 444 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Service Provider Network Operation

    Create operational efficiencies and increase automation in a highly technology-intensive market

    Enable competitive differentiation and customer retention through high-margin, bundled services

    Progressively consolidate disparate networks Sustain existing business while rolling out new services

    OSS

    OSS

    TDM

    FR, ATM

    TDM

    FR, ATM

    IP

    OSSOSS

    OSS

    IP

    MPLS

    TDM FR, ATMOSS

  • 555 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLSs Momentum in Convergence & Service Creation

    IDC, July 2004:

    Increasingly, service providers use MPLS as the cornerstone for traffic routing capabilities for convergedframe, ATM, and packet based networks to improve QoSvisibility and assure service level guarantees.

    CIBC World Markets, June 2004:

    The most significant trend was a wholesale shift to IP-MPLS as the new foundation technology for carriersdata networks. This transition appears irreversible and is gaining momentum surprisingly fast.

    Heavy Reading Jan. 2004:

    Most of the worlds telecom service providers now agree in principle that they must migrate to converged backbones, and that MPLS (MultiprotocolLabel Switching) technology will enable this migration.

    Heavy Reading Sep. 2003:

    MPLS is gaining support from MSPP vendors as a key mechanism for enabling packet services, QoS, and traffic engineering in the metro.

    Even in Dilbert Comic Strip, May 2004:

  • 666 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS Services and Transport Network Management

    MSEL3VPN

    L2VPN

    Traffic Engineering

    L2TPv3

    AToM

    Scale

    Performance

    ATM/FR legacy feature parity

    ProgrammableInterface

    Connection ManagementL2/L3 + Optical

    InterworkingMAC address Management

    Metro E

    Provisioning OAM & TroubleshootingTraffic Eng

    L3VPN instrumentation

    Low End EdgeEvolution from today

    Managing CPE

    VLAN Management

    L2 Switch Management

    Multicast VPN

    Layer 2/3 Management Essentials: IP/MPLS Routing, QoS, TE, OAM, HA

  • 777 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider Considerations Layer 2 Deployment Considerations A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 888 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Only way to implement hub and spoke topology is to put every spoke into a single and unique VRF

    Ensures that spokes do not communicate directly

    Single VRF model, which does not include HDV, impairs the ability to bind traffic on the upstream ISP Hub

    Why Half Duplex VRFs?Problem

  • 999 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    HDV allows the wholesale Service Provider to provide true hub and spoke connectivity to subscribers, who can be connected to the:

    Same or different PE-router(s)Same or different VRFs, via the upstream ISP

    Why Half Duplex VRFs?Solution

  • 101010 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Problem PE requires multiple VRF tables for multiple VRFs to push spoke traffic via hubIf the spokes are in the same VRF (no HDV), traffic will be switched locally and will not go via the hub site

    SolutionHDVs allows all the spoke site routes in one VRF

    BenefitScalability for Remote Access to MPLS connectionsReduces memory requirements by using just two VRF tablesSimplifies provisioning, management, and troubleshooting by reducing the number of Route Target and Route Distinguisher configuration

    Technical Justification

  • 111111 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    PE MPLSCORE ISP

    ISPHUB

    VPNport

    VPN port

    VPNport

    A

    B

    All the spokes in the same VPN (yellow)

    Dedicated (separate) VRF per spoke is needed to push all traffic through upstream ISP Hub

    Spoke AVRF

    Spoke BVRF

    CEHUBSite PE

    SpokeSite PE

    Hub & Spoke Connectivity Without HDVRequires Dedicated VRF Tables Per Spoke

  • 121212 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    PE MPLSCORE ISPCE

    ServiceLoopback

    HUB

    VPNport

    VPNport

    VPN port

    A

    B

    If two subscribers of the same service terminate on the same PE-router, then traffic between them can be switched locally at the PE-router (as shown), which is undesirable

    All inter-subscriber traffic needs to follow the default route via the Home Gateway (located at upstream ISP).

    Single VRF table

    HubSite PE

    SpokeSite PE

    Hub & Spoke Connectivity Without HDV Using A Single VRF

  • 131313 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Upstream VRFUsed to forward packets from Spokes to HubContains a static default route

    Downstream VRFUse to forward packets from Hub to SpokeContains a /32 route to a subscriber (installed from PPP)

    Terminology

  • 141414 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    PE MPLSCORE ISPCE

    HUB

    VPNport

    VPNport

    VPN port

    A

    B

    If two subscribers of the same service terminate on the same PE-router, traffic between them is not switched locally

    All inter-subscriber traffic follows the default route via the Home Gateway (located at upstream ISP)

    Single VRF table

    HUBSite PE

    SpokeSite PE

    Hub & Spoke Connectivity With HDVUsing A Single VRF

  • 151515 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    1. HDVs are used in only one direction by incoming traffic Ex: upstream toward the MPLS VPN backbone or downstream toward the attached subscriber

    2. PPP client dial, and is authenticated, authorized, and assigned an IP address.

    3. Peer route is installed in the downstream VRF tableOne single downstream VRF for all spokes in the single VRF

    4. To forward the traffic among spokes (users), upstream VRF is consulted at the Spoke PE and traffic is forwarded from a Hub PE to Hub CE

    Return path: downstream VRF is consulted on the Hub PE before forwarding traffic to appropriate spoke PE and to the spoke (user)

    5. Source address look up occurs in the downstream VRF, if unicast RPF check is configured on the interface on which HDV is enabled

    Half Duplex VRF Functionality

  • 161616 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    1. PPP user initiates a session with PPP session using a name [email protected] and password

    2. LAC/PE-router sends username information to the WholesaleServiceProvider Radius Server3. ISP-A (service name) is used to index into a profile that contains information on the IP

    address of the Radius server of the ISP-A4. [email protected] and password is then forwarded from the Wholesale Provider

    Radius server (which acts as a "proxy-radius"), towards the ISP Radius server5. ISP-A Radius server authenticates and assigns IP address6. ISP-A Radius server sends "Access-Accept" to Wholesale Service Provider Radius Server7. The wholesale Service Provider Radius server adds authorization information to the

    Access-Accept, (based on the domain or servicename)and the VRF to be used by Subscriber-A, and forwards it to PE-WholesaleProvider-LAC router

    8. PE-WholesaleProvider-LAC router creates temporary Virtual-Access interface (with associated /32 IP address) and places it into the appropriate VRF

    PE-WholeSaleProvider-LAC PE-ISP

    PPP UserSubscriber-A

    Wholesale Service Provider AAA Server

    ISP-AAAA Server

    MPLS Core

    Subscriber Connection Process

  • 171717 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Reverse Path Forwarding (RPF)Used by Service Provider determine the source IP address of an incoming IP packet and ascertain whether it entered the router via the correct inbound interface

    ConcernHDV populates a different VRF than the one used for upstreamforwarding

    SolutionExtend the RPF mechanism so the downstream VRF is checked

    To enable RPF extension, configure:ip verify unicast reverse-path

    Reverse Path Forwarding Check

  • 181818 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    PE Home Gateway

    MPLSCORE ISPPE CE

    ServiceLoopback

    ServiceLoopback

    HUBPE

    SPOKE 1

    SPOKE 2

    vpn port

    vpn port

    vpn port

    A

    B

    Upstream traffic (ie: traffic toward the upstream ISP or toward another subscriber) is sent to the hub PE-router and forwarded across the link between the wholesale SP and the ISP

    Subscriber traffic follows a default route within the VRF Traffic is forwarded towards and received from the wholesale

    Service Providers PE-router and the subscriber

    Topology I: Hub and Spoke Connectivity Between Distributed PE-Routers

  • 191919 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    PE

    Home Gateway

    MPLSCORE

    ISPPE CE

    ServiceLoopback

    ServiceLoopback

    HUB

    PE

    SPOKE 1

    SPOKE 2

    vpnport

    vpnport

    vpn portA

    B Home Gateway

    ISPPE CEHUB

    vpn port

    NAP

    Data flow between two subscribers that belong to different services goes through the hub location of the Service Provider

    Data will traverse through a network exchange point, either public or private, by following a default route within the subscriber VRF

    Topology II: Hub and Spoke Connectivity Between Subscribers Of Different Services

  • 202020 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Home Gateway

    MPLSCORE

    ISPPE CEHUB

    vpnport

    Home Gateway

    ISPPE CEHUB

    vpnport

    PEService

    Loopbacks

    SPOKE 1

    vpnport

    vpnport

    A

    B

    If two subscribers are terminated on the same PE-router and belong to different services, the data is required to traverse through the home gateways of both services.

    Topology III: Hub and Spoke Connectivity Via the Same PE-Router (Different Services)

  • 212121 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 222222 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPN Connectivity between AS#s

    VPN sites may be geographically dispersedRequiring connectivity to multiple providers, or different

    regions of the same provider

    Transit traffic between VPN sites may pass through multiple AS#sThis implies that routing information MUST be exchanged

    across AS#s

    Distinction drawn between Inter-Provider & Inter-AS

  • 232323 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Inter-Provider Vs. Inter-AS

    Inter-Provider Connectivity

    SF POP

    LA POP

    NY POP

    RRRR

    RRRR

    ASBR

    RR RR

    WASH POP

    RRRR

    ASBR

    Service Provider A

    ASBR

    ASBR

    Service Provider B

  • 242424 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Inter-Provider Vs Inter-AS

    Inter-AS Connectivity

    Service Provider A

    European Region

    NY POP

    WASH POP

    ASBR

    ASBR

    LON POP

    Service Provider A

    North America Region

  • 252525 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPN Route Distribution

    PE-1

    Edge Router

    CE-1

    149.27.2.0/24

    VPN-A VRFImport routes with

    route-target 123:231

    How to distribute VPNv4 routes between different ASs ?

    AS# 123 AS# 456

    VPN-v4 update:RD:123:27:149.27.2.0/24,NH=PE-1RT=123:231, Label=(28)

    VPN-v4 update:RD:123:27:149.27.2.0/24,NH=PE-1RT=123:231, Label=(28)

    San Jose

    149.27.2.0/24,NH=CE-1

    149.27.2.0/24,NH=CE-1

    New York

    CE-2

    PE-2

    Service Provider A

    Service Provider B

    AS# 124

    Service Provider A

    Edge Router

  • 262626 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPN Route Distribution Options

    ASBR ASBR

    Several options available for route distribution

    AS# 123 AS# 456

    Multihop MP-eBGP between RRs

    Back-to-back VRFs

    MP-eBGP for VPNv4

    Option A

    Option B

    Option C

    Service Provider A

    Service Provider B

  • 272727 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Option A Back-to-back VRFs

    2547 providers exchange routes between ASBRs over VRF interfacesHence ASBR is known as a PE-ASBR

    Each PE-ASBR router treats the other as a CE routerAlthough both provider interfaces are associated with a VRF

    Provider edge routers are gateways used for VPNv4 route exchange

    PE-ASBR link may use any PE-CE routing protocol

  • 282828 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Back-to-back VRF Connectivity Model

    PE-1

    PE-ASBR PE-ASBR

    CE-1

    149.27.2.0/24

    AS# 123 AS# 456

    VPN-AVPN-A

    CE-4

    PE-2

    VPN-B

    CE-2

    152.12.4.0/24

    One logical interface & VRF per

    VPN client

    CE-3

    VPN-B

    Service Provider A

    Service Provider B

  • 292929 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Back-to-back Prefix Distribution

    PE-1

    PE-ASBR1 PE-ASBR2

    AS# 123 AS# 456PE-2

    VPN-B

    CE-2

    152.12.4.0/24

    CE-3

    VPN-B

    152.12.4.0/24,NH=CE-2

    152.12.4.0/24,NH=CE-2

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-B VRFImport routes with

    route-target 123:222

    BGP, OSPF, RIPv2 152.12.4.0/24 NH=PE-ASBR1

    BGP, OSPF, RIPv2 152.12.4.0/24 NH=PE-ASBR1

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-ASBR-2RT=456:222, Label=(92)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-ASBR-2RT=456:222, Label=(92)

    VPN-B VRFImport routes with

    route-target 456:222

    152.12.4.0/24,NH=PE-2

    152.12.4.0/24,NH=PE-2

    Service Provider A

    Service Provider B

  • 303030 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Back-to-back Packet Flow

    PE-1

    PE-ASBR1 PE-ASBR2

    AS# 123 AS# 456PE-2

    VPN-B

    CE-2

    152.12.4.0/24

    CE-3

    VPN-B

    152.12.4.1

    LDP PE-ASBR-2 Label 92

    152.12.4.1152.12.4.1LDP PE-1 Label

    29152.12.4.1

    152.12.4.1

    Service Provider A

    Service Provider B

  • 313131 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Scalability is an issue with many VPNs1 VRF & logical interface per VPNGateway PE-ASBR must hold ALL routing information

    PE-ASBR must filter & store VPNv4 prefixes No MPLS label switching required between providers

    Standard IP between gateway PE-ASBRsNo exchange of routes using External MP-BGPSimple deployment but limited in scopeHowever, everything just works

    Back-to-back VRFs Summary

  • 323232 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Option B External MP-BGP

    Gateway ASBRs exchange VPNv4 routes directlyExternal MP-BGP for VPNv4 prefix exchange. No LDP/IGP

    BGP next-hop set to advertising ASBRNext-hop/labels are rewritten when advertised across ASBR-

    ASBR link

    ASBR stores all VPN routes that need to be exchangedBut only within the BGP table. No VRFs. Labels are populated

    into LFIB at ASBR

  • 333333 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Label allocation at receiving PE-ASBR

    Receiving gateway ASBR may allocate new labelControlled by configuration of next-hop-selfLFIB holds new label allocation

    Receiving ASBR automatically creates a /32 host route for its ASBR neighborWhich must be advertised into receiving IGP if next-hop-self

    is not in operation (to maintain the LSP)

  • 343434 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    External MP-BGP Connectivity Model

    PE-1

    ASBR-1 ASBR-2

    CE-1

    149.27.2.0/24

    AS# 123 AS# 456

    VPN-AVPN-A

    CE-4

    PE-2

    VPN-B

    CE-2

    152.12.4.0/24

    CE-3

    VPN-B

    Label exchange between Gateway

    ASBR routers using MP-eBGP

    External MP-BGP for VPNv4

    Service Provider A

    Service Provider B

  • 353535 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    External MP-BGP Prefix Distribution

    PE-1

    ASBR-1 ASBR-2

    AS# 123 AS# 456PE-2

    Green VPN

    CE-2

    152.12.4.0/24

    CE-3

    Green VPN

    152.12.4.0/24,NH=CE-2

    152.12.4.0/24,NH=CE-2

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24, NH=ASBR-2RT=123:222, Label=(92)

    VPN-v4 update:RD:123:27:152.12.4.0/24, NH=ASBR-2RT=123:222, Label=(92)

    152.12.4.0/24,NH=PE-2

    152.12.4.0/24,NH=PE-2

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=ASBR-1RT=123:222, Label=(42)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=ASBR-1RT=123:222, Label=(42)

    Service Provider A

    Service Provider B

  • 363636 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    External MP-BGP Packet Flow

    PE-1

    ASBR-1 ASBR-2

    AS# 123 AS# 456PE-2

    Green VPN

    CE-2

    152.12.4.0/24

    CE-3

    Green VPN

    152.12.4.1

    LDP PE-1 Label 29

    152.12.4.1

    152.12.4.1

    LDP PE-ASBR-2 Label 92

    152.12.4.1

    152.12.4.192

    42 152.12.4.1

    29 152.12.4.1

    Service Provider A

    Service Provider B

  • 373737 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPN Client Connectivity

    VPN-A-1VPN-A-2

    PE-1PE-1

    PE2PE2

    CE2 CE2

    Edge Router1Edge Router1 Edge Router2Edge Router2

    CE-1 CE-1

    VPN Sites Attached to Different MPLS VPN Service Providers

    VPN Sites Attached to Different MPLS VPN Service Providers

    AS #1 AS #2

    149.27.2.0/24149.27.2.0/24

    VPN-A VRFImport Routes withRoute-target 1:231

    How to Distribute Routes between

    SPs?

    How to Distribute Routes between

    SPs?

    VPN-v4 Update:RD:1:27:149.27.2.0/24,

    NH=PE-1RT=1:231, Label=(28)

    BGP, OSPF, RIPv2 149.27.2.0/24,NH=CE-1

  • 383838 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    External MP-BGP Summary

    Scalability less of an issue when compared to back-to-back VRF connectivityOnly 1 interface required between ASBR routersNo VRF requirement on any ASBR router

    Automatic route filtering must be disabledHence filtering on RT values essentialImport of routes into VRFs is NOT required (reduced memory

    impact)

    Label switching required between ASBRs

  • 393939 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    External MP-BGP Summary (Cont).

    Preferred option for Inter-Provider connectivityNo IP prefix exchange required between providersSecurity is tighterPeering agreements specify VPN membership

  • 404040 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPNv4 Distribution Options

    PE-1PE-1

    PE-2PE-2

    CE-2 CE-2

    MP-eBGP for VPNv4

    Multihop MP-eBGPbetween RRs

    Other Options Available, These Two Are the Most Sensible

    Other Options Available, These Two Are the Most Sensible

    AS #1 AS #2

    PE-ASBR-1PE-ASBR-1 PE-ASBR-2PE-ASBR-2

    CE-1 CE-1

    VPN-A-1 VPN-A-2

  • 414141 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    ASBR Router Protection/Filtering

    MP-eBGP session is authenticated with MD5Potentially also IPSec in the data plane

    Routing updates filtered on ingress based on extended communitiesBoth from internal RRs and external peeringsORF used between ASBRs and RRs. Maximum-prefix on MP-BGP session

    Per-interface label space for external facing links to avoid label spoofing

  • 424242 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Option C Multihop MP-eBGP between RRs

    2547 providers exchange VPNv4 prefixes via RRsRequires multihop MP-eBGP session

    Next-hop-self MUST be disabled on the RRsPreserves next-hop/label as allocated by originating PE router

    Providers exchange IPv4 routes with labels between directly connected ASBRs using External BGPOnly PE router BGP next-hop addresses exchangedRFC3107 "Carrying Label Information in BGP-4"

  • 434343 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    RFC3107 Carrying labels with BGP-4

    MP_REACH_NLRI Attribute MP_REACH_NLRI Attribute (Specified in RFC 2858)(Specified in RFC 2858)

    Prefix plus MPLS label Prefix plus MPLS label (Specified in RFC 3107)(Specified in RFC 3107)

    0 1 2 3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    | Address Family Identifier (1)Address Family Identifier (1) | SAFI (4)SAFI (4) | NextNext--hop Lthhop Lth |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    | Network Address of nextNetwork Address of next--hop (variable)hop (variable) |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    | # of SNPAs# of SNPAs | Network Layer Reachability Info (variable)Network Layer Reachability Info (variable) |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    | Length Length | MPLS Label MPLS Label |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    | | Prefix (variable) |

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • 444444 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Multihop MP-eBGP Connectivity Model

    PE-1

    CE-1

    149.27.2.0/24

    AS# 123 AS# 456

    VPN-A VPN-A

    CE-4

    PE-2

    VPN-B

    CE-2

    152.12.4.0/24

    CE-3

    VPN-B

    Multihop MP-eBGP for VPNv4 (via next-hop-unchanged)

    ASBR-1 ASBR-2

    RFC3107

    RR-1

    Service Provider A

    RR-2

    Service Provider B

    ASBRs exchange BGP next-hop addresses

    with labels

  • 454545 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Multihop MP-eBGP Prefix Distribution

    PE-1AS# 123 AS# 456

    PE-2

    Green VPN

    CE-2

    152.12.4.0/24

    CE-3

    Green VPN

    ASBR-1 ASBR-2

    RR-1 RR-2

    152.12.4.0/24,NH=CE-2

    152.12.4.0/24,NH=CE-2

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    VPN-v4 update:RD:123:27:152.12.4.0/24,NH=PE-1RT=123:222, Label=(29)

    Service Provider A

    Service Provider B

    Network=PE-1 NH=ASBR-1Label=(47)

    Network=PE-1 NH=ASBR-1Label=(47)

    Network=PE-1 NH=ASBR-2Label=(68)

    Network=PE-1 NH=ASBR-2Label=(68)

  • 464646 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Multihop MP-eBGP Packet Flow

    PE-1

    ASBR-1 ASBR-2

    AS# 123 AS# 456PE-2

    Green VPN

    CE-2

    152.12.4.0/24

    CE-3

    Green VPN

    152.12.4.1

    LDP PE-1 Label 29

    152.12.4.1

    152.12.4.1

    152.12.4.129

    29 152.12.4.1LDP ASBR-2 Label

    68 29

    152.12.4.1

    68

    152.12.4.12947

    Service Provider A

    Service Provider B

  • 474747 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Multihop MP-eBGP Summary

    More scalable than previous optionsAs all VPNv4 routes held on route reflectors rather than the

    ASBRs

    Route reflectors hold VPNv4 informationEach provider utilizes route reflectors locally for VPNv4

    prefix distributionExternal BGP connection added for route exchange

    BGP next-hops across ASBR links using RFC3107Separation of forwarding/control planes

  • 484848 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 494949 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Inter-provider PW

    AS10 AS20Provider B

    We will refer to an Inter-provider model when a pseudo-wire circuit will span across 2 different service providers domains or ASs

    - In this model, the SP will have no or very limited trust between people managing different ASs

    - Different providers will certainly apply different QoS policies, definition and implementation.

    - Inter-provider model will have to have mechanisms for Security and QoS mediation

    Provider A

  • 505050 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Inter-AS PW

    AS1 AS2

    AS3 AS4

    Provider A

    We will refer to Inter-AS model when a provider (Provider A) has, divided its network within multiple domain or ASes.

    - In this model, degree of trust between people managing different ASes,

    - In general QoS definition and implementation will be consistent across ASes

  • 515151 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Pseudo-wire Stitching /Switching Model

    Pseudo-wire stitching mechanism is the mechanism that permits a service provider to extend an existing pseudo-wire with an other pseudo-wire. In an other words, to replace the attached circuit by an other pseudowire from same type (atom pw with atom pw) or different type (atom pw with l2tpv3 pw).

    AS 1AS 2

    attached-circuit 1

    Pwvc 112

    pwvc 111

    attached-circuit 3

    attached-circuit 4 attached-circuit 6

    pwvc 11

    pwvc 12 ASBR-1ASBR-2 pwvc 152

    pwvc 151PE-1

    PE-2

    PE-3

    PE-4

    pseudo-wire pseudo-wireattached-circuit Pseudo-wire attached-circuit

    L2 signalling (UNI) LDP / L2TPv3 LDP / L2TPv3LDP/L2TPv3 L2 signalling (UNI)

    VPWS

    Auto-discovery

    (MP-iBGP)

    VPWS

    Auto-discovery

    (MP-iBGP)

    VPWS

    Auto-discovery

    (MP-eBGP)

  • 525252 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Pseudo-wire Stitching modelPro

    -QoS model : Re-coloring of EXP value will works

    - Security model : light trustiness (LDP, IGP cross boundary of SPs but is limited to neighbour ASBR)

    - Link between ASBRs is independent of attached-circuit media, on same link, we could have ATM, FR, Ethernet pseudowire, and/or other services (IP, MPLS-VPN, )

    - De-jitter mechanism of De-cell-packing mechanism could occur only at egress PEs

    Cons

    - Required to develop pseudowire stitching mechanism and/or to extend auto-discovery mechanism to support multi-as signalling.

    - QoS Model: Lots of function like shaping and policing function on per pseudowire will required to be developed

    - PW redundancy not optimized when NOT USING auto-discovery mechanism

  • 535353 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Multi-AS tunnel LSP model

    In this model we ruse existing RFC2457bis Multi-AS 10c or Multi-AS TE to build end-end tunnel LSP and to build end-end pseudowire VCs

    AS 1AS 2

    attached-circuit 1

    attached-circuit 3

    attached-circuit 4 attached-circuit 6

    ASBR-1ASBR-2

    PE-1

    PE-2

    PE-3

    PE-4

    pseudo-wireattached-circuit

    Tunnel LSP

    (with 2547bis multi-as model 10c or multi-AS TE)

    attached-circuit

    L2 signalling (UNI) LDP / L2TPv3 L2 signalling (UNI)

    VPWS

    Auto-discovery

    (MP-iBGP)

    VPWS

    Auto-discovery

    (MP-iBGP)

    VPWS

    Auto-discovery

    (MP-eBGP)

    pwvc 111

    pwvc 112

  • 545454 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Inter-AS tunnel LSP model

    Pro

    - Multi-AS model 10c or Inter-AS TE is developed.

    - Link between ASBRs is independent of attached-circuit media, on same link, we could have ATM, FR, Ethernet pseudowire, and/or other services (IP, MPLS-VPN, )

    - PW redundancy can be optimized by optimizing end-end tunnel LSP technique

    - De-jitter mechanism of De-cell-packing mechanism could occur only at egress PEs

    - Ease to provisioning

    Cons

    - Security model : Untrusted (LDP, IGP cross boundary of ASes)

    - QoS Model: Lots of functions like CoS re-coloring, shaping and policing will not be possible at ASBR (VC labels have NO signification for ASBR).

  • 555555 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    In summary (what to deploy ?)

    When SP will connect 2 or more of their ASes together (Inter-AS model), the 2nd & 3th model will be certainly the most popular one.

    When the SP will connect to other SPs (Inter-Provider model), the 1st model will be certainly the most popular model to start with.

    If SPs start to have numerous circuits with some specific partners, then the second model may be interesting to consider.

  • 565656 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Deployment/Architecture Challenges

    As with all technologies there are challengesControl-plane ScaleFiltering & route distributionSecurityMulticastQOS/End-to-end SLAsIntegration of services e.g. Layer-2/Layer-3Network ManagementTraffic Engineering

    Opportunity for industry collaborative development!

  • 575757 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 585858 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    100 MbpsEthernet

    RemoteWorker

    Ethernet-ConnectedBranch

    RemoteOffice 1

    RemoteOffice 2

    RegionalHeadquarters

    Ethernet-ConnectedBranch

    10 MbpsEthernetEthernet,SONET/SDH,

    RPR,DWDM/CWDM,

    MPLS/IPSubscriber

    STB

    Residential CPEMultitenant Unit (MTU)

    Basement Access Device

    Internet PSTN

    Web HostingWeb HostingDirectory ServicesDirectory Services

    Secure E-MailSecure E-Mail Mobile AccessMobile Access

    Hosted TelephonyHosted TelephonyVideoconferencingVideoconferencingStorage HostingStorage Hosting Business ContinuanceBusiness Continuance

    Unified MessagingUnified Messaging

    SPMetro Ethernet

    Network

    Metro Ethernet: Emerging MultiserviceAccess Opportunity

  • 595959 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    u-PE

    10/100/1000 Mpbs

    10/100/

    1000 Mpbs

    Metro D

    Hub &Spoke

    Metro C

    10/100/1000 Mpbs

    u-PESiSiGE Ring

    Metro Au-PE

    PE-AGG

    10/100/1000 Mpbs

    DWDM/CDWM

    Metro B

    u-PE

    P Pn-PE

    VPLS NetworkVPLS Network

    n-PE

    PP

    SONET/SDHRing

    n-PE

    C7600C7600

    C7600

    Delivers Ethernet-based multipoint L2 VPN service

    Enhances L2 VPN scalability (geographic sites & no. of customers)

    Leverages existing SP MPLS Core

    Supports operational speeds of GB to 10 GB

    On track for IETF standardization: Draft Lasserre-Kompella

    Uses familiar Ethernet user network interface

    VPLS Overview for Metro Ethernet

  • 606060 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Virtual Private LAN Services (VPLS)

    VPLS defines an architecture that delivers Ethernet Multipoint Services (EMS) over an MPLS network

    VPLS operation emulates an IEEE Ethernet bridge Two VPLS drafts in existance

    Draft-ietf-l2vpn-vpls-ldp-01draft-ietf-l2vpn-vpls-bgp-01

    PEMPLS

    Network

    PECE CE

    VPLS Is An Architecture

    CE

  • 616161 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPLS & H-VPLS

    H-VPLSTwo Tier HierarchyMPLS or Ethernet EdgeMPLS Core

    VPLS Direct AttachmentSingle Flat HierarchyMPLS to the Edge

    192.168.11.1/24

    192.168.11.2/24

    192.168.11.12/24

    192.168.11.11/24192.168.11.25/24

    MPLS EdgeMPLS Core

    PW

    n-PEPE-POP

    PE-rs

    u-PEPE-CLEMTU-s

    u-PEPE-CLEMTU-s

    n-PEPE-POP

    PE-rsGE

    Ethernet EdgePoint-to-Point or Ring

    VPLS

    H-VPLS

  • 626262 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPLS Components

    n-PE

    n-PE

    n-PE

    PW

    PW

    PW

    CE

    CE

    CE

    CE

    CE

    CE

    CE

    CE

    Tunn

    el L

    SPTunnel LSP

    Tunnel LSP

    Green VSIBlue VSI

    Red VSI

    Green VSIBlue VSI

    Red VSI

    Red VSIBlue VSI

    Legend

    CE - Customer Edge Devicen-PE - network facing-Provider EdgeVSI - Virtual Switch InstancePW - Pseudo-WireTunnel LSP - Tunnel Label Switch Path that

    provides PW transport

    Attachment Circuit

    Full Mesh of PWs between VSIs

    Directed LDP session between participating PEs

  • 636363 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPN & VPLS Desirable Characteristics

    Auto-discovery of VPN membershipReduces VPN configuration and errors associated with configuration

    Signaling of connections between PE devices associated with a VPN

    Forwarding of framesAToM uses Interface based forwardingVPLS uses IEEE 802.1q Ethernet Bridging techniques

    Loop preventionMPLS Core will use a full mesh of PWs and split-horizonforwardingH-VPLS edge domain may use IEEE 802.1s Spanning Tree, RPR, or SONET Protection

  • 646464 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPLS: Layer 2 Forwarding InstanceRequirements

    Flooding / Forwarding: MAC table instances per customer and per customer VLAN (L2-VRF idea)

    for each PE VSI will participate in learning, forwarding process Uses Ethernet VC-Type defined in pwe3-control-protocol-xx

    Address Learning / Aging: Self Learn Source MAC to port associations Refresh MAC timers with incoming frames New additional MAC TLV to LDP

    Loop Prevention: Create partial or full-mesh of EoMPLS VCs per VPLS Use split horizon concepts to prevent loops Announce EoMPLS VPLS VC tunnels

    A Virtual Switch MUST operate like a conventional L2 switch!

  • 656565 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VPLS Deployment:SMB Connectivity

    New Layer 2 multipoint service offering Enterprise maintains routing and administrative autonomy Layer 3 protocol independence Full mesh between customer sites

    MPLS NetworkCE-SITE1 CE-SITE2

    SFO-PE NYC-PE

    DFW-PE

    CE-SITE3

  • 666666 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    SP-As PEs appear back to back and packets are forwarded No LDP or Route exchange with transit provider Provides optimal traffic path to carriers PE

    VPLS Deployment:Layer 2 Multipoint Transit Provider

    Transit Provider Network

    SP-A SP-A

    CE-1

    CE-1

    FRoMPLSLDP

    VPLS

  • 676767 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Ethernet OAM Future

    CECE

    Customer Domain

    Provider Domain

    Operator Domain

    Operator Domain

    Operator Domain

    Eth AccessMPLS Core

    Eth Access

    Customer CustomerService Provider

    Ethernet-LMI: Automated config of CE based on EVCs and bw profiles; L2 connectivity mgmt

    802.3ah Eth in First Mile: When applicable, physical connectivity mgmt betw devices. Most applicable to first mile

    802.1ag Connectivity Fault Management: Uses Domains to contain OAM flows & bound OAM responsibilities Provides per EVC connectivity mgmt and fault isolation Three types of packets: Continuity Check, L2 Ping, L2 Traceroute

    Cisco driving standards

    ITU-T SG 13 and SG 15: Ethernet Layer Netw Arch (G.8010 SG 15) Ethernet OAM Functionality (Y.ethoam SG 13) Reqts for OAM in Ethernet based netw (Y.1730 SG 13) IEEE: 802.3ah Ethernet in First Mile (Physical OAM); 802.1ad Provider Bridges 802.1ag Connectivity Mgmt (Per VLAN OAM)MEF:E-LMI

    MPLS OAM: VCCV, LSP Ping/Traceroute

  • 686868 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 696969 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Why Traffic Engineering?

    Congestion in the network due to changing traffic patternsElection news, online trading, major sports events

    Better utilization of available bandwidthRoute on the non-shortest path

    Route around failed links/nodesFast rerouting around failures, transparently to usersLike SONET APS (Automatic Protection Switching)

    Build New ServicesVirtual leased line servicesVoIP Toll-Bypass applications, point-to-point bandwidth guarantees

    Capacity planningTE improves aggregate availability of the network

  • 707070 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Background Why Have MPLS-TE? IP networks route based only on destination (route) ATM/FR networks switch based on both source and destination

    (PVC, etc) Some very large IP networks were built on ATM or FR to take

    advantage of src/dst routing Overlay networks inherently hinder scaling (see The Fish

    Problem) MPLS-TE lets you do src/dst routing while removing the major

    scaling limitation of overlay networks MPLS-TE has since evolved to do things other than bandwidth

    optimization

  • 717171 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Traffic Engineering services

    Traffic engineering offers the carrier mechanisms to optimise their infrastructure.

    Distributing trafficPre-built back-up pathsTraffic separation over different TE paths

    Solution ExamplesBasic Traffic engineeringDiffserv aware TETE optimisation toolsFRR using TE

    IP/MPLS

  • 727272 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS Traffic Engineering in Core

    - MPLS TE Tunnels MAY be used to distribute aggregate load via Constraint Based Routing - avoid congestion- in this example, routing PE1!!!!PE2 traffic (80Mb/s) and PE1!!!!PE3 traffic (90Mb/s) on separate path in the core avoids congestion

    IP/MPLSPE1

    PE3

    PE2

    150

    150

    RFC2702 Requirements for MPLS Traffic EngineeringRFC3209 RSVP extensions for LSP Tunnels

  • 737373 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    InterAS TE

    IP/MPLS

    TE Tunnel spanning multiple Autonomous SystemsAllows bandwidth reservations to span multiple domains

    draft-zhang-mpls-interas-te-req-xx, draft-vasseur-inter-as-te-xxdraft-vasseur-mpls-loose-path-reopt-xx, draft-vasseur-mpls-nodeid-subobject-xx

  • 747474 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Diff-Serv-aware Traffic Engineering (DS-TE) in Core

    - MPLS DS-TE Tunnels MAY be used to carry separately different classes of service- canonical example is separate tunnels for Voice and for Data-facilitates strict enforcement of different QoS objectives for differnet classes WITHOUT over-engineering- per class CAC (eg. route Voice tunnels taking into account the EF queue capacity and not just the link capacity)- per class C-SPF (eg. Use a hop/Bw based metric for data tunnels and a delay-based metric for voice tunnels)

    IP/MPLS

  • 757575 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Diff-Serv-aware Traffic Engineering (DS-TE) in Core

    IP/MPLS

    RFC3564 Requirements for Diff-Serv-aware MPLS Traffic Engineeringdraft-ietf-tewg-diff-te-proto-xxdraft-ietf-tewg-diff-te-russian-xxdraft-ietf-tewg-diff-te-mam-xxPath Computation Element (PCE) WG Now.The PCE Working Group is chartered to specify a Path Computation Element(PCE) based architecture for the computation of paths for MPLS and GMPLSTraffic Engineering LSPs

  • 767676 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    What should be deployed: ???- Nothing- MPLS TE- MPLS Diff-Serv- MPLS TE + MPLS Diff-Serv- Diff-Serv-aware TE

  • 777777 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation(reduce spending)

    ServiceDifferentiation(increase revenue)

    ?

    What should be deployed: ???- Nothing- MPLS TE- MPLS Diff-Serv- MPLS TE + MPLS Diff-Serv- Diff-Serv-aware TE

    ?

    ?

    ?

    ?

  • 787878 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation

    ServiceDifferentiation

    NothingNothing

    No need for differentiation in Core(Best Effort in Core is good enough for all traffic)

    No need for optimisation(sufficient resources on all links)

    !!!! Deploy NOTHING

  • 797979 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation

    ServiceDifferentiation

    Diff-Serv

    Need for differentiation in Core(Best Effort in Core is not good enough for voice)

    No need for optimisation(sufficient resources on all links)

    !!!! Deploy Diff-Serv

  • 808080 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation

    ServiceDifferentiation

    TE

    No Need for differentiation in Core(Best Effort in Core is good enough for all traffic)

    Need for optimisation(delay deployment of additional links)

    !!!! Deploy TE

  • 818181 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation

    ServiceDifferentiation

    TE+ Diff-Serv

    Need for differentiation in Core(Best Effort in Core is not good enough for Voice)

    Need for optimisation(delay deployment of additional links)

    !!!! Deploy TE and Diff-Serv

  • 828282 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applicability of Core QoS mechanims

    ResourceOptimisation

    ServiceDifferentiation

    DS-TE+ Diff-Serv

    Need for very strong differentiation in Core

    (Guaranteed Bandwidth services)

    Need for fine optimisation(delay deployment ofadditional links)

    !!!! Deploy DS-TE and Diff-Serv

  • 838383 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Appicability of Core QoS mechanisms

    ResourceOptimisation

    ServiceDifferentiation

    NothingNothing

    Diff-Serv

    TE

    TE+ Diff-Serv

    DS-TE+ Diff-Serv

    OperationalComplexity

    Lower Capital Costsfor operator !!!! cheaper servicefor end-user

    Higher Quality Service for end-user

  • 848484 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 858585 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Where does MPLS OAM fit

    MPLS OAM mechanisms applicable between Ingress and Egress Provider Edges;

    Label Switched Path (LSP) created by Control protocols such as Label Distribution Protocol and/or RSVP-TE

    IngressPE

    CECE

    MPLS OAM

    End-End OAM

    Attachment VCOAMs

    EgressPE

    Attachment VCOAMs

    Pseudowire, Traffic Engineering or

    VPN Label

    LSP created by LDP and/or RSVP-TE

    .

  • 868686 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS LSP Ping/Traceroute

    Draft-ietf-mpls-lsp-ping-06.txtIETF StandardsIETF Standards

    IPv4 LDP prefix, VPNv4 prefix TE tunnel MPLS PE, P connectivity for MPLS transport, MPLS VPN, MPLS TE

    applications

    ApplicationsApplications

    MPLS LSP Ping (ICMP) for connectivity checks MPLS LSP Traceroute for hop-by-hop fault localization MPLS LSP Traceroute for path tracing

    SolutionSolution

    Detect MPLS traffic black holes or misrouting Isolate MPLS faults Verify data plane against the control plane Detect MTU of MPLS LSP paths

    RequirementRequirement

  • 878787 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS AToM Virtual Circuit Connection Verification ( VCCV)

    Draft-ietf-pwe3-vccv-xx.txtIETF StandardsIETF Standards

    Layer 2 transport over MPLSFRoMPLS, ATMoMPLS, EoMPLS

    ApplicationsApplications

    AToM VCCV allows sending control packets in band of an AToM pseudowire. Two components:

    Signaled component to communicate VCCV capabilities as part of VC labelSwitching component to cause the AToM VC payload to be treated as a control packet

    Type 1: uses Protocol ID of AToM Control wordType 2: use MPLS router alert label

    SolutionSolution

    Ability to provide end-to-end fault detection and diagnostics for an emulated pseudowire service

    One tunnel can serve many pseudowires.MPLS LSP ping is sufficient to monitor the PSN tunnel (PE-PE connectivity), but not VCs inside of tunnel

    RequirementRequirement

  • 888888 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Attributes of BFD

    Protocol Independence Media Independence Fast failure detection

    Light Weight, Fixed Length; simple to parse

    Forwarding plane livelinessE.g., Link may be up but forwarding engine may be down or an entry may

    be incorrectly programmed. No discovery mechanism in BFD

    Applications bootstrap a BFD session

    OSPFISIS

    RSVP

    . . .

    BGP

    OSPFISIS

    RSVP

    . . .

    BGPBFD BFDFast Hello

    Direct physical links Multi-hop routed paths Virtual circuits, Tunnels MPLS LSPs Bi/uni-directional links

    LDP

    Fwd Engine

    Fwd Engine

    LDP

  • 898989 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS BFD Vs. LSP Ping

    LowNOYESMPLS-BFD

    Higher than BFDYESYESLSP Ping

    Protocol Overhead

    Control Plane Consistency

    Data Plane Failure

    DetectionMethod

    MPLS-BFD can complement LSP Ping to detect a data plane failure in the forwarding path of a MPLS LSP

    Supported FECs: RSVP IPv4/IPv6 Session, LDP IPv4/IPv6 prefix VPN IPv4/IPv6 prefix, Layer 2 VPN, Layer 2 Circuit ID

  • 909090 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    VCCV BFD Vs. VCCV Ping

    LowNOYESVCCV-BFD

    Higher than BFDYESYESVCCV Ping

    Protocol Overhead

    Control Plane Consistency

    Data Plane Failure

    DetectionMethod

    VCCV-BFD can complement VCCV-LSP Ping to detect a data plane failure in the forwarding path of a PW

    VCCV-BFD works over MPLS or IP networks; Multiple PSN Tunnel Type MPLS, IPSEC, L2TP, GRE, etc.

  • 919191 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 929292 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Three Pillars of Security

    securityA

    rchi

    tect

    ure

    /A

    lgor

    ithm

    Impl

    emen

    tatio

    n

    Ope

    ratio

    nBreak one, and all security is gone!

  • 939393 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    What Kind of Threats?

    Threats from Outside the BackboneFrom VPN customersFrom the Internet

    Threats from Inside the BackboneSP misconfigurations (error or deliberate)Hacker on the line in the core

    Threats that are independent of MPLSCustomer network security

    Reference model for best practice deployments

  • 949494 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Why is MPLS Security Important?

    Customer buys Internet Service:Packets from SP are not trusted!!!! Perception: Need for firewalls, etc.

    Customer buys a VPN Service:Packets from SP are trusted!!!! Perception: No further security required

    SP Must Ensure Secure MPLS Operations

  • 959595 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Still Open: RoutingProtocol

    Only Attack Vector: Transit

    Traffic

    Now Only Insider Attacks

    Possible

    Avoid Insider Attacks

    Protecting an MPLS/VPN CoreOverview

    1. Dont let packets into (!) the coreNo way to attack core, except through routing, thus:

    2. Secure the routing protocolNeighbor authentication, maximum routes, dampening,

    3. Design for transit trafficQoS to give VPN priority over InternetChoose correct router for bandwidthSeparate PEs where necessary

    4. Operate Securely

  • 969696 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Best Practice Security Overview (1)

    Secure devices (PE, P): They are trusted! Core (PE+P): Secure with ACLs on all interfaces

    Ideal: deny ip any

    Static PE-CE routing where possible If routing: Use authentication (MD5) Separation of CE-PE links where possible

    (Internet / VPN) LDP authentication (MD5) VRF: Define maximum number of routesNote: Overall security depends on weakest link!

  • 979797 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    In order of security preference: 1. Static: If no dynamic routing required

    (no security implications)2. BGP: For redundancy and dynamic updates

    (many security features)3. IGPs: If BGP not supported

    (limited security features)

    PE-CE Routing Security

  • 989898 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    ACL and secure routing

    Securing the MPLS CoreMPLS core

    Internet

    VPNVPN PE

    CE

    CE

    CE

    CE

    CE CE

    PE

    PEPE

    PE

    P

    P

    P

    VPN

    VPN

    VPN

    BGP Route Reflector

    BGP peering with MD5 authentic.

    LDP with MD5

  • 999999 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Use IPsec if you need:

    Encryption of traffic Direct authentication of CEs Integrity of traffic Replay detection

    Or: If you dont want to trust your ISP for traffic separation!

    Maybe more important than

    encryption?

  • 100100100 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    End-to-End Security with IPsec

    Encryption: Data invisible on core Authentication: Only known CEs Integrity: Data not changed in transit

    MPLS core

    CE PEPE P PVPNVPN

    CE

    VPNPE labelIP dataIP sec IP dataIP secIP dataIP sec

  • 101101101 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    CE PE PE CE

    IPSec CE-CE

    IPSec PE-PE

    IPSec CE-PE

    Application: VPN Security

    Application: Special Cases

    (see later)

    Application: Remote Access into VPN

    Where to Apply IPSec

  • 102102102 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Where to do IPsec

    1. CE to CESP not involved (unless manages CEs)MPLS network only sees IPsec traffic Very secure

    2. PE to PEDoes not prevent sniffing access lineNot very secure for the customerThere are some specific applications for this (US ILECs)

    MixturesNeed to trust SPMostly for access into VPN

  • 103103103 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Applications of PE-PE IPSec

    If core is not pure MPLS, but IP basedStandard 2547bis requires MPLS core, PE-PE IPSec does not Alternative: MPLS in IP/GRE/L2TPv3, but with PE-PE IPSec spoofing impossible

    Protect against misbehaving transit nodes Protection against sniffing on core lines Protection of pseudowire construct in Inter-AS

  • 104104104 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Non-Application: Customer Security

    Hacker wants to IPSec IPSecCE-CE PE-PE

    Protects Fully

    Doesnt Protect

    Protects Partially

    Protects Fully

    Protects Fully

    Protects Partially

    Doesnt Protect

    Doesnt Protect

    read VPN traffic

    insert traffic into VPN

    join a VPN

    DoS a VPN / the core

  • 105105105 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS doesnt provide:

    Protection against mis-configurations in the core

    Protection against attacks from within the core

    Confidentiality, authentication, integrity, anti-replay Use IPsec if required Customer network security

  • 106106106 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 107107107 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    CoreDistributionCPE Aggregation

    Legacy Data Reference Architecture Today Separate Layers

    Optical

    Optical

    SDH/SONETATM

    SDH/SONETATM

    SDH/SONETSDH/SONET

    channelised / LL

    ATM/FR

    Mod / TA PSTN

    SDH

    IP/MPLS

    ATM/FR

    PoP Services

    Internet

    PSTN

    HFC

    Optical Fibre Plant

  • 108108108 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    What is Happening in Core ?

    Core bandwidth is increasingBroadband basedNew Business services

    Slot count pressure 10 Gbps in production in larger PTT networks 40 Gbps requirement appearing 100 Gbps under discussion !

    IP

  • 109109109 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    CoreDistributionCPE Aggregation

    Data Reference ArchitectureFuture IP + Optical

    OpticaldWDM dWDM

    Ethernet / channelised / LL

    ATM/FR

    Mod / TA PSTN

    802.11

    Multi-Service optical transport

    IP/MPLS

    PoP Services

    Internet

    PSTN

    HFC

    GMPLS

  • 110110110 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Core Infrastructures Option 1 P-to-P DWDM / Dark Fibre / GE Switches

    Simplest model Very high BW connections

    STM-16c STM-256c, RPR, GE, 10GE WAN PHY & LAN PHY Long Distance

    Static - Does it matter ? No layer 1 recovery

    L3 or FRR

    Cheap and efficient solution

  • 111111111 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Core Infrastructures Option 2Overlay without Signalling

    OXC OXC

    SDH / optical core

    Control plane

    Router connected to optical network No signalling interaction Limited interaction between Router and optical layer Backup at either L1 or L3 More dynamic / more cost Bandwidth capabilities determined by SDH / Optical layer

  • 112112112 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Core Infrastructures Option 3 Overlay with UNI

    OXC OXC

    SDH / optical coreUNI UNI

    Control plane

    Optical UNI interface between Router and Optical Layer Overlay model Dynamic bandwidth / BW on demand

    Initiated from the edge Bandwidth capabilities determined by Optical Layer

  • 113113113 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Core Infrastructures Option 4 Peer Model GMPLS / G.ASON /

    OXC OXC

    Meshed optical core

    GMPLS GMPLSGMPLS

  • 114114114 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Forwarding Plane

    . when MPLS started

    ControlPlane

    MPLS DomainATM LSP

    Packet LSP

    IP Routing ProtocolsMPLS Domain - OSPF, ISIS, iBGP

    Outside RIP2, BGP4

    Label Distribution ProtocolsLDP, RSVP

    Router

    Router

    Router

    Router

    Router

    Router

    Packet LSR Packet LSR

    Packet LSRPacket LSR

    ATM LSR

    ATM LSR

    ATM LSR

    General-purpose tunneling mechanismcarry IP and non-IP payloadsuses label switching to forward packets/cells through the networkcan operate over any data-link layer

    Separate Control Plane from Forwarding Plane

    Effort began 1996 .. RFCs out 2001 RFC 3031 MPLS Architecture

  • 115115115 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Forwarding Plane

    . MPLS TE emerged

    ControlPlane

    MPLS Domain

    MPLS TEusing

    RSVP TE

    TE LSP

    Router

    Router

    Router

    Router

    Router

    Router

    Packet LSR Packet LSR

    Packet LSRPacket LSR

    ATM LSR

    ATM LSR

    ATM LSR

    Constraint-based routing LSP tunnel established over set of links and nodesTunnel meets requested BW and/or policy constraints

    LSP tunnels are uni-directional ptpconnections

    Packets no longer need to follow shortest path

  • 116116116 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Forwarding Plane

    MPS Domain

    . then came MPS

    ControlPlane

    IP Routing ProtocolsOSPF, ISIS

    Label Distribution ProtocolsLDP, RSVP TE

    MPLS TERSVP TE

    TE LSP

    TE LSPRouter

    Router

    Router

    Router

    Router

    Router

    OXC

    OXCOXC

    OXC

    OXC OXC

    OXC

    Extend MPLS TE protocols to control optical cross-connect (OXC)

    LSRs are like OXC LSPs are like optical connectionsReuse IP/MPLS protocols

    Advantagesfast provisioning of optical connectionsUnified IP/Optical Control Plane

    draft-awduche-mpls-te-optical-03.txt Q2 2001

  • 117117117 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Forwarding Plane

    GMPLSDomainOTN

    . finally Generalized MPLS - GMPLS

    GMPLS ControlPlane IP Routing Protocols

    With ExtensionsOSPF, ISIS

    Label Distribution ProtocolsCR LDP, RSVP TE

    MPLS TERSVP TE

    GMPLS control plane supports multiple switching and forwarding planes

    Introduces new functions to accommodate circuit-oriented optical network regimes

    GMPLS = MPLS + MPS + N where N is MPLS control of new switching planes draft-ietf-ccamp-gmpls-architecture-07.txt

    TE GMPLSPath

    TE GMPLSPath

    Router

    Router

    Router

    Router

    Router

    RouterSONETSDH NE

    SONETSDH NE

    SONETSDH NE

    SONETSDH NE

    OXC

    OXC OXC

  • 118118118 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    O-UNI Multi-Service Network Applications

    Service ProviderOptical Network

    IP Router

    IP Router

    O-UNI

    O-UNI

    O-UNI

    O-UNI

    O-UNI

    O-UNI

    Service Provider offering dynamic optical paths for myriad of optical client equipment and networks

    Offer Bandwidth On Demand, OVPN, and new Transport classes of services

    SONETSDH NE

    SONETSDH NE

    ATM LSR

    ATM LSR

    OXC

    OXCOXC

    OXC

  • 119119119 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Research & Education Network Tiers

    Advanced Education Networks

    Next generation architecture and applications

    for researchcommunity

    Advanced servicesfor education

    General UseC o m m o d i t y I n t e r n e t

    I2-Abilene, SurfNet 5CALREN

    ISPs

    TeragridWIDECALRENNLR

    LEADERS NETWORK TYPE CAPABILITIES/USERS

    Experimental environments for network researchers

    ExperimentalNetworks

    ResearchWeb100NLR

  • 120120120 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Agenda Dynamics and Background Layer 3 : Half-Duplex VRF Inter-Provider : Layer 3 Inter-Provider: Layer 2 A Word on VPLS A Word on Traffic Engineering Management Considerations and MPLS OAM Security Considerations What About G-MPLS? Summary

  • 121121121 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS: The Key Technology for the delivery of L2 & L3 Services

    IP+ATM SwitchIP+ATM Switch

    PNNIPNNI MPLSMPLS

    IPIP

    IPIPServicesServices

    ATMATMServicesServices

    IP+ATM: MPLS Brings IP and ATM Together eliminates IP over ATM overhead and complexity one network for Internet, Business IP VPNs, and transport

    Network-Based VPNs with MPLS:a Foundation for Value Added Service Delivery

    flexible user and service grouping (biz-to-biz) flexibility of IP and the QoS and privacy of ATMenables application and content hosting inside each VPN transport independent low provisioning costs enable affordable managed services

  • 122122122 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    MPLS Traffic Engineering Provides Routing on diverse paths to avoid congestion Better utilization of the network Better availability using Protection Solution (FRR)

    Guaranteed Bandwidth ServicesCombine MPLS Traffic Engineering and QoSDeliver Point-to-point bandwidth guaranteed pipesLeverage the capability of Traffic EngineeringBuild Solution like Virtual leased line and Toll Trunking

    MPLS: The Key Technology for the delivery of L2 & L3 Services

  • 123123123 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    IP+Optical SwitchIP+Optical Switch

    OO--UNIUNI MPLSMPLS

    IPIP

    IPIPServicesServices

    OpticalOpticalServicesServices IP+Optical Integration

    eliminates IP over Optical Complexity Uses MPLS as a control Plane for setting up lightpaths (wavelengths)

    one control plane for Internet, Business IP VPNs, and optical transport

    Any Transport over MPLSTransport ATM, FR, Ethernet, PPP over MPLSProvide Services to existing installed baseProtect Investment in the installed gearLeverage capabilities of the packet coreCombine with other packet based services such as MPLS VPNsATM

    FrameRelay

    FrameRelay

    MPLS: The Key Technology for the delivery of L3 Services

  • 124 2003 Cisco Systems, Inc. All rights reserved.APRICOT 2005

    Questions?